npm - @benjavicente/start-client-core - Versions diffs - 1.167.9 → 1.168.2 - Mend

@benjavicente/start-client-core 1.167.9 → 1.168.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/dist/esm/client/hydrateStart.js +4 -2
package/dist/esm/client/hydrateStart.js.map +1 -1
package/dist/esm/client-rpc/serverFnFetcher.d.ts +21 -0
package/dist/esm/client-rpc/serverFnFetcher.js +94 -71
package/dist/esm/client-rpc/serverFnFetcher.js.map +1 -1
package/dist/esm/createCsrfMiddleware.d.ts +46 -0
package/dist/esm/createCsrfMiddleware.js +63 -0
package/dist/esm/createCsrfMiddleware.js.map +1 -0
package/dist/esm/createMiddleware.d.ts +4 -0
package/dist/esm/createMiddleware.js.map +1 -1
package/dist/esm/createServerFn.d.ts +44 -31
package/dist/esm/createServerFn.js +1 -1
package/dist/esm/createServerFn.js.map +1 -1
package/dist/esm/fake-entries/plugin-adapters.d.ts +3 -0
package/dist/esm/fake-entries/plugin-adapters.js +7 -0
package/dist/esm/fake-entries/plugin-adapters.js.map +1 -0
package/dist/esm/fake-entries/router.d.ts +1 -0
package/dist/esm/fake-entries/router.js +6 -0
package/dist/esm/fake-entries/router.js.map +1 -0
package/dist/esm/{fake-start-entry.d.ts → fake-entries/start.d.ts} +0 -1
package/dist/esm/fake-entries/start.js +6 -0
package/dist/esm/fake-entries/start.js.map +1 -0
package/dist/esm/getDefaultSerovalPlugins.d.ts +2 -1
package/dist/esm/getDefaultSerovalPlugins.js.map +1 -1
package/dist/esm/index.d.ts +4 -1
package/dist/esm/index.js +3 -1
package/dist/esm/tests/createCsrfMiddleware.test.d.ts +1 -0
package/package.json +9 -10
package/skills/start-core/SKILL.md +11 -7
package/skills/start-core/auth-server-primitives/SKILL.md +410 -0
package/skills/start-core/deployment/SKILL.md +9 -0
package/skills/start-core/execution-model/SKILL.md +68 -19
package/skills/start-core/middleware/SKILL.md +42 -9
package/skills/start-core/server-functions/SKILL.md +115 -17
package/src/client/hydrateStart.ts +12 -6
package/src/client-rpc/serverFnFetcher.ts +132 -103
package/src/createCsrfMiddleware.ts +197 -0
package/src/createMiddleware.ts +4 -0
package/src/createServerFn.ts +192 -63
package/src/fake-entries/plugin-adapters.ts +4 -0
package/src/fake-entries/router.ts +1 -0
package/src/{fake-start-entry.ts → fake-entries/start.ts} +0 -1
package/src/getDefaultSerovalPlugins.ts +2 -1
package/src/index.tsx +16 -0
package/src/start-entry.d.ts +9 -2
package/src/tests/createCsrfMiddleware.test.ts +290 -0
package/src/tests/createServerFn.test-d.ts +152 -2
package/src/tests/createServerMiddleware.test-d.ts +16 -3
package/bin/intent.js +0 -25
package/dist/esm/fake-start-entry.js +0 -7
package/dist/esm/fake-start-entry.js.map +0 -1

package/src/tests/createCsrfMiddleware.test.ts ADDED Viewed

@@ -0,0 +1,290 @@
+import { describe, expect, it, vi } from 'vitest'
+import {
+  createCsrfMiddleware,
+  csrfSymbol,
+  getCsrfRequestValidationResult,
+  isCsrfRequestAllowed,
+} from '../createCsrfMiddleware'
+import type { RequestServerOptions } from '../createMiddleware'
+import type { Register } from '@benjavicente/router-core'
+const requestOrigin = 'https://app.example.com'
+function trackHeaders(init: Record<string, string>) {
+  const headers = new Map(
+    Object.entries(init).map(([key, value]) => [key.toLowerCase(), value]),
+  )
+  const reads: Array<string> = []
+  return {
+    reads,
+    request: {
+      url: `${requestOrigin}/_serverFn/test`,
+      headers: {
+        get(name: string) {
+          reads.push(name)
+          return headers.get(name.toLowerCase()) ?? null
+        },
+      },
+    } as Request,
+  }
+}
+function createContext(init: {
+  headers?: Record<string, string>
+  handlerType?: 'serverFn' | 'router'
+  origin?: string
+}): RequestServerOptions<Register, undefined> {
+  const { request } = trackHeaders(init.headers ?? {})
+  return {
+    request,
+    pathname: new URL(request.url).pathname,
+    context: undefined,
+    next: (() => undefined) as any,
+    handlerType: init.handlerType ?? 'serverFn',
+  }
+}
+async function runMiddleware(
+  middleware: ReturnType<typeof createCsrfMiddleware>,
+  ctx: RequestServerOptions<Register, undefined>,
+) {
+  const next = vi.fn(() => ({ request: ctx.request, pathname: ctx.pathname }))
+  const result = await middleware.options.server!({
+    ...ctx,
+    next,
+  } as any)
+  return { result, next }
+}
+describe('getCsrfRequestValidationResult', () => {
+  it('allows same-origin fetch metadata without reading Origin or Referer', async () => {
+    const { request, reads } = trackHeaders({
+      'Sec-Fetch-Site': 'same-origin',
+      Origin: 'https://evil.example.com',
+      Referer: 'https://evil.example.com/path',
+    })
+    await expect(
+      getCsrfRequestValidationResult({}, createContextFromRequest(request)),
+    ).resolves.toBe(true)
+    expect(reads).toEqual(['Sec-Fetch-Site'])
+  })
+  it.each(['same-site', 'cross-site', 'none', 'invalid'])(
+    'rejects %s fetch metadata',
+    async (fetchSite) => {
+      const ctx = createContext({
+        headers: {
+          'Sec-Fetch-Site': fetchSite,
+          Origin: requestOrigin,
+          Referer: `${requestOrigin}/path`,
+        },
+      })
+      await expect(getCsrfRequestValidationResult({}, ctx)).resolves.toBe(false)
+    },
+  )
+  it('allows matching Origin without reading Referer', async () => {
+    const { request, reads } = trackHeaders({
+      Origin: requestOrigin,
+      Referer: 'https://evil.example.com/path',
+    })
+    await expect(
+      getCsrfRequestValidationResult({}, createContextFromRequest(request)),
+    ).resolves.toBe(true)
+    expect(reads).toEqual(['Sec-Fetch-Site', 'Origin'])
+  })
+  it('rejects mismatched Origin without reading Referer', async () => {
+    const { request, reads } = trackHeaders({
+      Origin: 'https://evil.example.com',
+      Referer: `${requestOrigin}/path`,
+    })
+    await expect(
+      getCsrfRequestValidationResult({}, createContextFromRequest(request)),
+    ).resolves.toBe(false)
+    expect(reads).toEqual(['Sec-Fetch-Site', 'Origin'])
+  })
+  it.each([
+    requestOrigin,
+    `${requestOrigin}/path`,
+    `${requestOrigin}?query=1`,
+    `${requestOrigin}#hash`,
+  ])('allows same-origin Referer fallback: %s', async (referer) => {
+    const ctx = createContext({ headers: { Referer: referer } })
+    await expect(getCsrfRequestValidationResult({}, ctx)).resolves.toBe(true)
+  })
+  it.each([
+    'https://evil.example.com/path',
+    `${requestOrigin}.evil/path`,
+    `${requestOrigin}:443/path`,
+  ])('rejects cross-origin Referer fallback: %s', async (referer) => {
+    const ctx = createContext({ headers: { Referer: referer } })
+    await expect(getCsrfRequestValidationResult({}, ctx)).resolves.toBe(false)
+  })
+  it('returns undefined for requests without origin check headers', async () => {
+    const ctx = createContext({})
+    await expect(
+      getCsrfRequestValidationResult({}, ctx),
+    ).resolves.toBeUndefined()
+  })
+  it('rejects empty Referer header as known invalid origin check', async () => {
+    const ctx = createContext({ headers: { Referer: '' } })
+    await expect(getCsrfRequestValidationResult({}, ctx)).resolves.toBe(false)
+  })
+  it('rejects missing origin check headers by default', async () => {
+    const ctx = createContext({})
+    await expect(isCsrfRequestAllowed({}, ctx)).resolves.toBe(false)
+  })
+  it('allows missing origin check headers with the opt-in', async () => {
+    const ctx = createContext({})
+    await expect(
+      isCsrfRequestAllowed({ allowRequestsWithoutOriginCheck: true }, ctx),
+    ).resolves.toBe(true)
+  })
+  it('does not allow invalid origin check headers with the opt-in', async () => {
+    const ctx = createContext({ headers: { 'Sec-Fetch-Site': 'cross-site' } })
+    await expect(
+      isCsrfRequestAllowed({ allowRequestsWithoutOriginCheck: true }, ctx),
+    ).resolves.toBe(false)
+  })
+  it('uses custom origin matchers', async () => {
+    const ctx = createContext({
+      headers: { Origin: 'https://preview.example.com' },
+    })
+    await expect(
+      getCsrfRequestValidationResult(
+        { origin: ['https://app.example.com', 'https://preview.example.com'] },
+        ctx,
+      ),
+    ).resolves.toBe(true)
+  })
+  it('uses custom Sec-Fetch-Site matchers', async () => {
+    const ctx = createContext({ headers: { 'Sec-Fetch-Site': 'same-site' } })
+    await expect(
+      getCsrfRequestValidationResult(
+        { secFetchSite: ['same-origin', 'same-site'] },
+        ctx,
+      ),
+    ).resolves.toBe(true)
+  })
+  it('reads request URL origin only when needed', async () => {
+    const getUrl = vi.fn(() => `${requestOrigin}/_serverFn/test`)
+    const sameOriginFetch = createContext({
+      headers: { 'Sec-Fetch-Site': 'same-origin' },
+    })
+    Object.defineProperty(sameOriginFetch.request, 'url', { get: getUrl })
+    await expect(
+      getCsrfRequestValidationResult({}, sameOriginFetch),
+    ).resolves.toBe(true)
+    expect(getUrl).not.toHaveBeenCalled()
+    const originFallback = createContext({
+      headers: { Origin: requestOrigin },
+    })
+    Object.defineProperty(originFallback.request, 'url', { get: getUrl })
+    await expect(
+      getCsrfRequestValidationResult({}, originFallback),
+    ).resolves.toBe(true)
+    expect(getUrl).toHaveBeenCalledTimes(1)
+  })
+})
+describe('createCsrfMiddleware', () => {
+  it('marks middleware with csrfSymbol in non-production environments', () => {
+    const middleware = createCsrfMiddleware()
+    expect(csrfSymbol in middleware).toBe(true)
+  })
+  it('protects router requests by default', async () => {
+    const middleware = createCsrfMiddleware()
+    const ctx = createContext({ handlerType: 'router' })
+    const { result, next } = await runMiddleware(middleware, ctx)
+    expect(next).not.toHaveBeenCalled()
+    expect(result).toBeInstanceOf(Response)
+    expect((result as Response).status).toBe(403)
+  })
+  it('protects server function requests by default', async () => {
+    const middleware = createCsrfMiddleware()
+    const ctx = createContext({ handlerType: 'serverFn' })
+    const { result, next } = await runMiddleware(middleware, ctx)
+    expect(next).not.toHaveBeenCalled()
+    expect(result).toBeInstanceOf(Response)
+    expect((result as Response).status).toBe(403)
+  })
+  it('filters requests', async () => {
+    const middleware = createCsrfMiddleware({ filter: () => false })
+    const ctx = createContext({ handlerType: 'serverFn' })
+    const { next } = await runMiddleware(middleware, ctx)
+    expect(next).toHaveBeenCalledTimes(1)
+  })
+  it('can filter to server function requests', async () => {
+    const middleware = createCsrfMiddleware({
+      filter: (ctx) => ctx.handlerType === 'serverFn',
+    })
+    const ctx = createContext({ handlerType: 'router' })
+    const { next } = await runMiddleware(middleware, ctx)
+    expect(next).toHaveBeenCalledTimes(1)
+  })
+  it('uses custom failure responses', async () => {
+    const middleware = createCsrfMiddleware({
+      failureResponse: new Response('CSRF failed', { status: 419 }),
+    })
+    const ctx = createContext({ handlerType: 'serverFn' })
+    const { result } = await runMiddleware(middleware, ctx)
+    expect((result as Response).status).toBe(419)
+    await expect((result as Response).text()).resolves.toBe('CSRF failed')
+  })
+})
+function createContextFromRequest(
+  request: Request,
+): RequestServerOptions<Register, undefined> {
+  return {
+    request,
+    pathname: new URL(request.url).pathname,
+    context: undefined,
+    next: (() => undefined) as any,
+    handlerType: 'serverFn',
+  }
+}

package/src/tests/createServerFn.test-d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import type { ServerFnMeta } from '../constants'
 import type {
   Constrain,
   Register,
+  SerializationError,
   TsrSerializable,
   ValidateSerializableInput,
   Validator,
@@ -512,7 +513,134 @@ test('createServerFn returns undefined', () => {
 test('createServerFn cannot return function', () => {
   expectTypeOf(createServerFn().handler<{ func: () => 'func' }>)
     .parameter(0)
-    .returns.toEqualTypeOf<{ func: 'Function is not serializable' }>()
+    .returns.toEqualTypeOf<{
+      func: SerializationError<'Function may not be serializable'>
+    }>()
+})
+test('createServerFn strict false can validate and return function', () => {
+  const fn = createServerFn({ method: 'GET', strict: false })
+    .inputValidator((input: { func: () => 'input' }) => ({
+      output: input.func(),
+    }))
+    .handler(({ data }) => {
+      expectTypeOf(data).toEqualTypeOf<{ output: 'input' }>()
+      return {
+        func: () => 'func' as const,
+      }
+    })
+  expectTypeOf(fn).parameter(0).toEqualTypeOf<{
+    data: { func: () => 'input' }
+    headers?: HeadersInit
+    signal?: AbortSignal
+    fetch?: CustomFetch
+  }>()
+  expectTypeOf(fn({ data: { func: () => 'input' } })).toEqualTypeOf<
+    Promise<{
+      func: () => 'func'
+    }>
+  >()
+})
+test('createServerFn strict false factory preserves strictness', () => {
+  const createServerFnWithoutSerializationCheck = createServerFn({
+    strict: false,
+  })
+  const myServerFn = createServerFnWithoutSerializationCheck()
+    .inputValidator((input: { func: () => 'input' }) => ({
+      output: input.func(),
+    }))
+    .handler(({ data }) => {
+      expectTypeOf(data).toEqualTypeOf<{ output: 'input' }>()
+      return {
+        func: () => 'func' as const,
+      }
+    })
+  expectTypeOf(myServerFn).parameter(0).toEqualTypeOf<{
+    data: { func: () => 'input' }
+    headers?: HeadersInit
+    signal?: AbortSignal
+    fetch?: CustomFetch
+  }>()
+  expectTypeOf(myServerFn({ data: { func: () => 'input' } })).toEqualTypeOf<
+    Promise<{
+      func: () => 'func'
+    }>
+  >()
+})
+test('createServerFn strict input false can validate function', () => {
+  const fn = createServerFn({ strict: { input: false } })
+    .inputValidator((input: { func: () => 'input' }) => ({
+      output: input.func(),
+    }))
+    .handler(({ data }) => {
+      expectTypeOf(data).toEqualTypeOf<{ output: 'input' }>()
+      return {
+        value: 'serializable' as const,
+      }
+    })
+  expectTypeOf(fn).parameter(0).toEqualTypeOf<{
+    data: { func: () => 'input' }
+    headers?: HeadersInit
+    signal?: AbortSignal
+    fetch?: CustomFetch
+  }>()
+  expectTypeOf(fn({ data: { func: () => 'input' } })).toEqualTypeOf<
+    Promise<{
+      value: 'serializable'
+    }>
+  >()
+})
+test('createServerFn strict output false can return function', () => {
+  const fn = createServerFn({ strict: { output: false } }).handler(() => ({
+    func: () => 'func' as const,
+  }))
+  expectTypeOf(fn()).toEqualTypeOf<
+    Promise<{
+      func: () => 'func'
+    }>
+  >()
+  const promiseFn = createServerFn({ strict: { output: false } }).handler(() =>
+    Promise.resolve({
+      func: () => 'func' as const,
+    }),
+  )
+  expectTypeOf(promiseFn()).toEqualTypeOf<
+    Promise<{
+      func: () => 'func'
+    }>
+  >()
+})
+test('ServerFnReturnType skips serialization when strict is false', () => {
+  expectTypeOf<
+    ServerFnReturnType<Register, { func: () => 'func' }, false>
+  >().toEqualTypeOf<{
+    func: () => 'func'
+  }>()
+})
+test('ServerFnReturnType skips serialization when strict output is false', () => {
+  expectTypeOf<
+    ServerFnReturnType<Register, { func: () => 'func' }, { output: false }>
+  >().toEqualTypeOf<{
+    func: () => 'func'
+  }>()
 })
 test('createServerFn cannot validate function', () => {
@@ -525,7 +653,29 @@ test('createServerFn cannot validate function', () => {
     .toEqualTypeOf<
       Constrain<
         (input: { func: () => 'string' }) => { output: 'string' },
-        Validator<{ func: 'Function is not serializable' }, any>
+        Validator<
+          { func: SerializationError<'Function may not be serializable'> },
+          any
+        >
+      >
+    >()
+})
+test('createServerFn strict output false still checks input', () => {
+  const validator = createServerFn({
+    method: 'GET',
+    strict: { output: false },
+  }).inputValidator<(input: { func: () => 'string' }) => { output: 'string' }>
+  expectTypeOf(validator)
+    .parameter(0)
+    .toEqualTypeOf<
+      Constrain<
+        (input: { func: () => 'string' }) => { output: 'string' },
+        Validator<
+          { func: SerializationError<'Function may not be serializable'> },
+          any
+        >
       >
     >()
 })

package/src/tests/createServerMiddleware.test-d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { expectTypeOf, test } from 'vitest'
 import { createMiddleware } from '../createMiddleware'
 import type { RequestServerNextFn } from '../createMiddleware'
 import type { ConstrainValidator, CustomFetch } from '../createServerFn'
-import type { Register } from '@benjavicente/router-core'
+import type { Register, SerializationError } from '@benjavicente/router-core'
 import type { ServerFnMeta } from '../constants'
 test('createServeMiddleware removes middleware after middleware,', () => {
@@ -573,7 +573,10 @@ test('createMiddleware sendContext cannot send a function', () => {
         .parameter(0)
         .exclude<undefined>()
         .toHaveProperty('sendContext')
-        .toEqualTypeOf<{ func: 'Function is not serializable' } | undefined>()
+        .toEqualTypeOf<
+          | { func: SerializationError<'Function may not be serializable'> }
+          | undefined
+        >()
       return next()
     })
@@ -582,7 +585,10 @@ test('createMiddleware sendContext cannot send a function', () => {
         .parameter(0)
         .exclude<undefined>()
         .toHaveProperty('sendContext')
-        .toEqualTypeOf<{ func: 'Function is not serializable' } | undefined>()
+        .toEqualTypeOf<
+          | { func: SerializationError<'Function may not be serializable'> }
+          | undefined
+        >()
       return next()
     })
@@ -669,6 +675,7 @@ test('createMiddleware with type request, no middleware or context', () => {
       next: RequestServerNextFn<{}, undefined>
       pathname: string
       context: undefined
+      handlerType: 'serverFn' | 'router'
       serverFnMeta?: ServerFnMeta
     }>()
@@ -692,6 +699,7 @@ test('createMiddleware with type request, no middleware with context', () => {
       next: RequestServerNextFn<{}, undefined>
       pathname: string
       context: undefined
+      handlerType: 'serverFn' | 'router'
       serverFnMeta?: ServerFnMeta
     }>()
@@ -716,6 +724,7 @@ test('createMiddleware with type request, middleware and context', () => {
         next: RequestServerNextFn<{}, undefined>
         pathname: string
         context: undefined
+        handlerType: 'serverFn' | 'router'
         serverFnMeta?: ServerFnMeta
       }>()
@@ -740,6 +749,7 @@ test('createMiddleware with type request, middleware and context', () => {
         next: RequestServerNextFn<{}, undefined>
         pathname: string
         context: { a: string }
+        handlerType: 'serverFn' | 'router'
         serverFnMeta?: ServerFnMeta
       }>()
@@ -763,6 +773,7 @@ test('createMiddleware with type request can return Response directly', () => {
       next: RequestServerNextFn<{}, undefined>
       pathname: string
       context: undefined
+      handlerType: 'serverFn' | 'router'
       serverFnMeta?: ServerFnMeta
     }>()
@@ -783,6 +794,7 @@ test('createMiddleware with type request can return Promise<Response>', () => {
       next: RequestServerNextFn<{}, undefined>
       pathname: string
       context: undefined
+      handlerType: 'serverFn' | 'router'
       serverFnMeta?: ServerFnMeta
     }>()
@@ -798,6 +810,7 @@ test('createMiddleware with type request can return sync Response', () => {
       next: RequestServerNextFn<{}, undefined>
       pathname: string
       context: undefined
+      handlerType: 'serverFn' | 'router'
       serverFnMeta?: ServerFnMeta
     }>()

package/bin/intent.js DELETED Viewed

@@ -1,25 +0,0 @@
-#!/usr/bin/env node
-// Auto-generated by @tanstack/intent setup
-// Exposes the intent end-user CLI for consumers of this library.
-// Commit this file, then add to your package.json:
-//   "bin": { "intent": "./bin/intent.js" }
-try {
-  await import('@tanstack/intent/intent-library')
-} catch (e) {
-  const isModuleNotFound =
-    e?.code === 'ERR_MODULE_NOT_FOUND' || e?.code === 'MODULE_NOT_FOUND'
-  const missingIntentLibrary =
-    typeof e?.message === 'string' && e.message.includes('@tanstack/intent')
-  if (isModuleNotFound && missingIntentLibrary) {
-    console.error('@tanstack/intent is not installed.')
-    console.error('')
-    console.error('Install it as a dev dependency:')
-    console.error('  npm add -D @tanstack/intent')
-    console.error('')
-    console.error('Or run directly:')
-    console.error('  npx @tanstack/intent@latest list')
-    process.exit(1)
-  }
-  throw e
-}

package/dist/esm/fake-start-entry.js DELETED Viewed

@@ -1,7 +0,0 @@
-//#region src/fake-start-entry.ts
-var startInstance = void 0;
-var getRouter = () => {};
-//#endregion
-export { getRouter, startInstance };
-//# sourceMappingURL=fake-start-entry.js.map

package/dist/esm/fake-start-entry.js.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"fake-start-entry.js","names":[],"sources":["../../src/fake-start-entry.ts"],"sourcesContent":["export const startInstance = undefined\nexport const getRouter = () => {}\n"],"mappings":";AAAA,IAAa,gBAAgB,KAAA;AAC7B,IAAa,kBAAkB"}